chroot + ssh concerns

Sergio Gelato Sergio.Gelato at astro.su.se
Thu Jan 1 22:12:46 EST 2004


* Lev Lvovsky [2003-12-31 11:47:41 -0800]:
> cfengine might be what we need unless we decide to roll our own.

I concur with the feeling expressed by various people that a "pull"
system (possibly with a trigger mechanism, which incidentally is also
part of cfengine) is generally better than a "push".

However, I have also looked rather closely at the cfengine code base
and find it to be very difficult to audit (and replete with bugs).
Particular problem areas are lack of bounds checking and references
to variables with undefined values.
The idea behind cfengine is very nice; not so the coding discipline.
My impression is that the author is (a) overworked, and (b) treating
cfengine more as a research project than an industrial-strength tool.

But we're straying off topic for this list. On the "push over ssh"
side, how about simply using a command= option in the target hosts'
authorized_keys file, and some reasonably safe command like
	pax -r -s '#.*/.*##'
(i.e., unpack the tar or cpio archive on stdin, skipping all
pathnames that contain a slash)? Season to taste, of course;
in particular, you may have somewhat different filtering requirements.
Now, I think there have been some bugs with subsystems (sftp)
being enabled even for keys that are restricted by command=
options, so you should definitely test, perhaps audit the source
code, and report any problems that you find. But at least in
principle this is supported by stock OpenSSH.
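An added illustration, not part of the message above and not OpenSSH's own tooling: the Python below first simulates the pax name filter suggested in the message on a constructed in-memory tar archive, showing which member names survive `-s '#.*/.*##'` (names containing a slash are rewritten to the empty string, and pax skips members whose name becomes empty), and then audits constructed authorized_keys lines for a command= entry that lacks the no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty options (or the later umbrella option restrict, OpenSSH 7.2 and up). The sample member names, the key blob and the sample file contents are assumptions made up for the example.

```python
import io
import re
import tarfile

# --- Part 1: what the pax filter from the message keeps and drops ------------
# The substitution  -s '#.*/.*##'  rewrites any member name containing a slash
# to the empty string; pax skips members whose name becomes empty.
SLASH_ANYWHERE = re.compile(r".*/.*")


def pax_filter(member_names):
    """Return the member names pax would extract after -s '#.*/.*##'."""
    kept = []
    for name in member_names:
        rewritten = SLASH_ANYWHERE.sub("", name, count=1)  # no 'g' flag: first match only
        if rewritten:  # empty result => pax skips this member
            kept.append(rewritten)
    return kept


# Constructed sample members: two names with slashes (one of them a
# parent-directory reference) and two bare filenames.
SAMPLE_MEMBERS = ["sub/dir/file.txt", "../outside.txt", "plain.txt", "other.conf"]


def build_archive(names):
    """Build an in-memory tar archive with one tiny regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extracted_names(archive_bytes):
    """Read the archive bytes (as if from stdin) and apply the pax name filter."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return pax_filter(tar.getnames())


# --- Part 2: audit authorized_keys lines that use command= -------------------
# One option per match: a name, an optional double-quoted value (backslash
# escapes allowed inside the quotes), then a comma or the end of the field.
OPTION_RE = re.compile(r'([A-Za-z][\w-]*)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
KEY_TYPE_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+)\s+\S+")
# Options expected alongside a forced command unless the umbrella option
# 'restrict' is present. sshd matches option names case-insensitively, so
# everything is compared in lower case.
RESTRICTING = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty")


def parse_options(options_field):
    """Parse the options field of an authorized_keys line into a dict."""
    opts, pos = {}, 0
    while pos < len(options_field):
        m = OPTION_RE.match(options_field, pos)
        if not m:
            raise ValueError("malformed options near %r" % options_field[pos:])
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
        pos = m.end()
    return opts


def audit_line(line):
    """Return findings (empty list = fine) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = KEY_TYPE_RE.search(line)
    if not m:
        return ["unrecognised key line"]
    opts = parse_options(line[:m.start()].strip()) if m.start() > 0 else {}
    findings = []
    if "command" in opts and "restrict" not in opts:
        for name in RESTRICTING:
            if name not in opts:
                findings.append("command= key lacks %s" % name)
    return findings


def audit_file(text):
    """Audit a whole authorized_keys file; returns [(line_number, findings)]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = audit_line(line)
        if findings:
            results.append((lineno, findings))
    return results


# Constructed sample file with a placeholder key blob: the first entry forces
# the pax command but leaves forwarding and PTY allocation enabled, the second
# adds the restricting options.
PAX_CMD = "pax -r -s '#.*/.*##'"
SAMPLE_AUTHORIZED_KEYS = (
    'command="%s" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== push@admin\n'
    'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
    "ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== push@admin\n"
) % (PAX_CMD, PAX_CMD)

if __name__ == "__main__":
    print("pax keeps:", extracted_names(build_archive(SAMPLE_MEMBERS)))
    for lineno, findings in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print("line %d:" % lineno, "; ".join(findings))
```

The simulation covers only the pathname rewrite; it says nothing about other member attributes (symlink targets, ownership, device nodes), so the forced command still has to be exercised on the target host with real archives, as the message recommends. The audit part is the check a reviewer would run before trusting a command= key: a forced command limits what the key can execute, while the no-* options (or restrict) are what keep port forwarding, agent forwarding and PTY allocation off for that key.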




More information about the openssh-unix-dev mailing list